February 22, 2011

This is turning into one of the best stories so far this year, and yet it seems doomed to only be known by geeks. Still spinning quickly, with new revelations daily, but it goes a little something like this:

Three security firms--Palantir Technologies, HBGary Federal, and Berico Technologies--are hired by law firm Hunton and Williams to neutralize the potential threat posed by Wikileaks' releases.

Aaron Barr at HBGary proposes leveraging his experience with social networks to expose the identities of active Anonymous members.

HBGary/Barr publicly discuss their investigations of Anonymous; Anonymous then retaliates with a DDoS on the HBGary web site.

Barr then approaches Anonymous members in an IRC chat as part of his preparation for an upcoming presentation. Soon after, Anonymous compromises the company's website, copies internal documents and 60,000+ e-mails to BitTorrent for anyone to download and, for further fun, vandalizes Barr's Twitter and LinkedIn. To state the obvious: all of this was done in short order, to a presumably skilled security company that had major contracts with the US government.

The leaked documents are pored over by journalists. They reveal that HBGary was hired to spread lies about Wikileaks, its leader Assange, civil rights lawyer and vocal supporter of Wikileaks Glenn Greenwald, and Anonymous. Anonymous has done much digital mischief in support of Wikileaks, including DDoS attacks on the web sites of Visa, Mastercard, and PayPal--all corporations that refused to honor individuals' donations to Wikileaks. Barr viewed Anonymous as both appropriate collateral damage and good publicity.

Further examination reveals that the US govt was behind many of the HBGary plans, including proposed attacks on unions. How timely, Wisconsin.

9 Feb 2011 - How one man tracked down Anonymous--and paid a heavy price - Ars wrap-up after Aaron Barr, HBGary, and HBGary's chances at being purchased for millions of dollars, lie in ruins. The hubris of Barr is revealed in conversations with a developer at HBGary attempting to hold him back: [Y]our numbers are too small to draw the conclusion but you don't want to accept it. Your probability based on frequency right now is a gut feeling. Gut feelings are usually wrong.

11 Feb 2011 - The leaked campaign to attack WikiLeaks and its supporters - Salon's writer/target Glenn Greenwald examines the issue and points out that Hunton & Williams was recommended to Bank of America's General Counsel by the Justice Department -- meaning the U.S. Government is aiding Bank of America in its defense against/attacks on WikiLeaks. Copious footnotes and links as usual. Required reading. Palantir and Berico eventually issue a condemnation of the targeting of Salon and Greenwald.

I had read about Barrett Lyon a few years back when his CSO story was linked around on Slashdot etc. At the time--and this is five years ago--a big enough botnet could take anyone down. Lyon built one of the first (*the* first?) DDoS firewalls to protect gambling sites from what turned out to be Russian extortionists. The CSO article ends wryly, noting that companies now pay around $50,000 to protect themselves from having to pay protection. Insert joke here about virus scanners slowing down your machine so that viruses can't.

The fact that Google can be attacked, and that they'd partner with the NSA, illustrates the gravity of the current threat. This time, it's not just thugs but government sanctioned thugs. I've read in Slashdot threads that Russia has the same tactics: leverage their hackers to disrupt Western corporations and governments. It's nice to know that the US doesn't stoop to such measures (insert joke that when *we* do it, it's not torture).

Lyon's company started protecting Scientology sites after Anonymous started their Project Chanology raids in January 2008. Since Anonymous employs multi-pronged attacks (DDoS, black faxes, picketing, information), a firewall offers only partial protection. And, as had been shown with the Marblecake hack, sites can be subverted without being taken down. The True/Slant article references a Neuromancer quote as a prediction of the decentralized, directed mob that is Anonymous. They're doing what any activists do: bring attention to an injustice. Reading the inevitable panic-stricken comments denouncing Anonymous, it's interesting to note the difference between "activist" and "terrorist".

The internet is at that awkward age of being both fragile and essential. Small groups like Anonymous are leveraging that fragility as much as are governments. Grab some popcorn; watch the show.

[ updated 25 Feb 2010 ]

US unable to win a cyber war [ via Slashdot ] reaffirmed that the US's extra-connectedness increases its weaknesses. One proffered solution is to give the Pres access to the on/off switch of the internet (reminding me of a two-panel cartoon I saw on the internet years back showing the difference between defending against a cyber attack in the movies and IRL. The movie scene has the hero spewing 24-style techno-babble that barely makes sense in the fictional world. The real scene has the pimply tech grab the router and pull out the network cable). The Slashdot thread has an oddly compelling comment on what will happen when shit gets real.

April 16, 2009

Those wacky kids on 4chan were at it again. Their target this month? The Time.com poll of the 100 most influential people in the world. Their goal had originally been to put 4chan creator Moot at the top, but after that proved to be too easy they aspired to a higher purpose and gamed the results to spell a "secret message" with the first letters of the names in the list. Eschewing the mundane (e.g. spelling out "eat me" or some such), they went with the more cryptic "marblecake, also the game". Take that, NSA.

I'd first seen the result from a post on Reddit and, honestly, almost didn't believe that they could do it. But after reading Music Machinery's interview with one of the perpetrators [ also via Reddit ], I can't believe what web dev dorks the people at Time.com are. If the interview is to be believed, their poll accepted any GET request, in any number, as a vote. ?!? While the rest of us are puzzling over XSS vulnerabilities, Time breaks the first rule of GET. The rest of the interview (with Zombocom, referencing the always-entertaining http://www.zombo.com/) revealed the details of how they wrote tools to attack each part of the problem. One script busily kept names beginning with unwanted letters out of the top; another sorted the remaining names to spell the message. Although the interviewer grossly overstated the importance of what was done, the casual manner in which web skills are applied by this community is interesting. Kids used to work on car engines.
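The "first rule of GET" the paragraph leans on is that a GET must be safe: it must never change server state, which is exactly what a poll that counts a vote per GET violates. The following is an added example, not Time.com's code and not anything from the interview, that models the defect described above beside a hardened vote handler. The handler names, the session id and the server secret are constructed for illustration; the hardened version assumes the server already has a per-visitor session id to bind its token to.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed server-side secret for this example; a real deployment loads it from config.
SERVER_SECRET = b"constructed-example-secret"


def vulnerable_vote(tally, method, params):
    """Models the defect described above: any request carrying ?vote=<name>
    increments the tally, regardless of method, so a script can repeat it
    without limit."""
    name = params.get("vote")
    if name is None:
        return 400
    tally[name] += 1          # state changes on a GET: the first rule of GET, broken
    return 200


def vote_token(session_id):
    """Per-session anti-forgery token: HMAC of the session id under the server secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class HardenedPoll:
    """Hypothetical hardened handler (not Time.com's): POST only, a valid
    per-session token, a known candidate, and one vote per session."""

    def __init__(self, candidates):
        self.candidates = set(candidates)
        self.tally = defaultdict(int)
        self.voted_sessions = set()

    def vote(self, method, params, session_id):
        if method != "POST":
            return 405                         # GET must not change state
        expected = vote_token(session_id)
        supplied = params.get("token", "")
        if not hmac.compare_digest(supplied, expected):
            return 403                         # missing or forged token
        name = params.get("vote")
        if name not in self.candidates:
            return 400                         # reject write-in names
        if session_id in self.voted_sessions:
            return 429                         # this session already voted
        self.voted_sessions.add(session_id)
        self.tally[name] += 1
        return 200


def demo():
    """Replays a burst of requests against both handlers and returns the outcomes."""
    # Vulnerable handler: 1000 identical GETs yield 1000 votes.
    weak_tally = defaultdict(int)
    for _ in range(1000):
        vulnerable_vote(weak_tally, "GET", {"vote": "moot"})

    poll = HardenedPoll(["moot", "other"])
    sid = "session-abc"                        # constructed session id
    tok = vote_token(sid)
    return {
        "vulnerable_votes": weak_tally["moot"],
        "get_rejected": poll.vote("GET", {"vote": "moot", "token": tok}, sid),
        "no_token": poll.vote("POST", {"vote": "moot"}, sid),
        "bad_name": poll.vote("POST", {"vote": "writein", "token": tok}, sid),
        "first_vote": poll.vote("POST", {"vote": "moot", "token": tok}, sid),
        "repeat_vote": poll.vote("POST", {"vote": "moot", "token": tok}, sid),
        "hardened_votes": poll.tally["moot"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler raises the cost of ballot stuffing rather than ending it: a client can still mint fresh sessions, which is why a CAPTCHA (the step Time added late, per the update below) or a stronger binding to a real identity is the next layer, and why the vote tally should be watched for rate anomalies regardless.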

So, what next for 4chan? Well, over the past few days they've been working to put both Ashton Kutcher and CNN in their place. The two are in a battle to be the first Twitter users with 1,000,000 followers. 4chan has put its weight behind a certain account called basementdad. Followers (whose IDs consist of a suspicious mangle of the same few names) appear to be increasing at a few hundred every 15 minutes or so.

[ updated 28 Apr 2009 ]

Music Machinery posted an update [ via Reddit ] on how Anonymous beat the last-minute addition of CAPTCHA and finished with a win. Bravo.